Commit 1b5dff33 authored by Guillaume Roguez's avatar Guillaume Roguez Committed by Nicolas Jager

TcpSocketEndpoint: fix peer certificate comparaison

Compare only public Id is not secure enough to ensure
certificate comparaison.
Use a byte-comparaison to verify the peer certificate
during TLS certificate checkings.

Change-Id: Ic90877ba3722e69d833f3adf841b3ebde8e44d9f
Reviewed-by: default avatarNicolas Jäger <nicolas.jager@savoirfairelinux.com>
parent 16551fc6
......@@ -324,7 +324,7 @@ TlsSocketEndpoint::Impl::verifyCertificate(gnutls_session_t session)
for (unsigned i=0; i<cert_list_size; i++)
crt_data.emplace_back(cert_list[i].data, cert_list[i].data + cert_list[i].size);
auto crt = dht::crypto::Certificate {crt_data};
if (crt.getId() != peerCertificate.getId()) {
if (crt.getPacked() != peerCertificate.getPacked()) {
RING_ERR() << "[TLS-SOCKET] Unexpected peer certificate";
return GNUTLS_E_CERTIFICATE_ERROR;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment